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Abstract 

00 

(-—V Alice and Bob want to share a secret key and to communicate an independent message, both of which they 

(^ desire to be kept secret from an eavesdropper Eve. We study this problem of secret communication and secret key 

PsJ generation when two resources are available - correlated sources at Alice, Bob, and Eve, and a noisy broadcast 

,— H channel from Alice to Bob and Eve which is independent of the sources. No other resource, in particular, no 

^ other channel is available. We are interested in characterizing the fundamental trade-off between the rates of the 

secret message and secret key. We present an achievable solution based on a separation architecture and prove 

'■ its optimality for the parallel channels and sources case when each sub-channel and source component satisfies a 

I— I degradation order (either in favor of the legitimate receiver or the eavesdropper). 

i-H I. Introduction 

Q The fact that a noisy channel can be used as a resource for secure communication was recognized 

' — ' by Wyner in his seminal work "The Wire-tap Channel" [IJ where he considered secure communication 
^H over degraded broadcast channels [2]. It was generalized by Csiszar and Korner [3] to cover all broadcast 
<^ channels. 

^ Analogously, Ahlswede and Csiszar flU and Maurer ||5l recognized that dependent source observations 

1^ available at the terminals can be used as a resource for generating a secret-key (a uniform random variable 
shared by Alice and Bob which is oblivious to Eve) if the terminals can communicate over a noiseless 
public channel (which delivers all its input faithfully to all the terminals including the eavesdropper). In [4], 



a 
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QQ the secret-key capacity of dependent sources was characterized if a one-way noiseless public channel from 

O Alice to Bob and Eve of unconstrained capacity is available. The characterization for the case when there 

> is a constraint on the capacity of the public channel was later found by Csiszar and Narayan [6] as a 

k> special case of their results on a class of common randomness generation problems using a helper. 

^ We would also like to note that many authors have contributed to the literature on secret-key generation 

when a two-way public discussion channel is available (in the context of both the sources and channels) 

which still remains an open problem in general. However, two-way communication is outside the scope 

of this short note. 

Instead, we focus on scenarios where both secret communication and secret key agreement are desired 
in the presence of both correlated sources and a (one-way) noisy broadcast channel. This paper builds 
on our earlier work on secret communication and key generation using both sources and channels in ^. 
Another related recent work is jSJ which independently investigates secret key generation in a similar 
setting. 

We consider the problem where Alice wants to send Bob a message that needs to be kept perfectly 
(information theoretically) secret from Eve, and in addition, Alice and Bob want to agree on a key 
that should also be kept perfectly secret from Eve. The only resources available for achieving this are 
correlated sources at all three parties and a broadcast channel from Alice to Bob and Eve. Note that we 
do not assume the availability of a public discussion channel. One motivation for considering this is that 



in many contexts (e.g. sensor networks), there is no noiseless public channel directly available, and it is 
not necessarily optimal to realize a noiseless channel from the noisy channel. Thus, one would like to 
determine conditions under which noiseless channel realizations would or would not be optimal. 

We present a separation strategy which converts Alice's noisy broadcast channel into a public and 
private bit pipe both of which deliver bits input to them faithfully to Bob. Moreover, bits sent over the 
private bit pipe are perfectly secret from Eve, but there is no secrecy guarantee on the bits sent over the 
public bit pipe. With the help of these bit pipes, the sources are then used to generate additional secrecy. 
We show that our separation strategy is optimal for the parallel channels and sources case when each 
sub-channel and source component satisfies a degradation order (either in favor of the legitimate receiver 
or the eavesdropper). Our results establish that under certain source and channel conditions, realizing 
noiseless public and private channels from a noisy broadcast channel is optimal for the communication 
of both secret key and secret messages. 
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Fig. 1. Problem setup: Alice and Bob want to share a key K and independent message M, both of which they want to be kept secret from 
Eve. Alice has a memoryless broadcast to Bob and Eve, and all three have correlated memoryless sources. 



II. Problem Setup 

Notation: We denote random variables by upper-case letters {e.g., X), their realizations by lower-case 
letters {e.g., x), and the alphabets over which they take values by calligraphic letters {e.g., X). A vector 
(Xfc,Xfc+i, . . . ,X„) will be denoted by X^. When k = \, the subscript will be dropped as in X" = 
(Xi,X2, . . . jX"). 
We make the following assumptions on the channel and sources: 

• The channel and the sources are memoryless. 

• The channel is independent of the sources. 

• The number of source observations is the same as the number of channel uses available. Note that 
we allow all the sources to be observed ahead of time in the sense that the input to the channel may 
depend on the block of source observations. 

The assumption on the number of source observations and channel uses can be easily relaxed and is made 
here only for reducing the notation. However, the independence assumption is critical to the results we 
present here. The memoryless assumption is useful for getting simple closed-form single-letter expressions. 

We consider the following model. Alice, Bob and Eve observe, respectively, the dependent memoryless 
processes (sources) SA,k-, SB,k-, SE,k, where k = 1,2,... is the time index. They have a joint distribution 
PSa,Sb,Se o^^r the alphabet SaX <Sb x <Se- Independent of these sources, there is a memoryless broadcast 
channel from Alice to Bob and Eve given by py,z\x, where Xk is the input to the channel, Yk is Bob's 
output, and Zk Eve's. We will also allow Alice to have access to a private random variable ^a which is 
not available to Bob and Eve and which is independent of all other random variables. Alice may use this 
private random variable for purposes of randomization. 

For e > 0, a random variable U is defined to be e-recoverable from another random variable V if there 
is a function / such that Pr(f/ ^ f{V)) < e. Suppose the parties make n observations of their sources, 



and Alice sends an n-length input X" to the channel. The input is a function of her observation 5*^, the 
secret message M which is uniformly distributed over its alphabet M. and independent of the sources 
and channel, and the private random variable $^ available only to Alice. We say that K = g{S%^A), 
for some g, is an t-secret-key if it is e-recoverable from 5^, F", satisfies the secrecy condition 

-I{M,K-Z-,Sl)<e, 
n 

and the uniformity condition 

-HiK) > -log|/C|-e, 
n n 

where fC is the alphabet over which K takes its values. We define (-RsK.e, Rsu,e) to be an e-achievable rate 
pair if there is an e-secret-key K^ such that -H(K^''^^) = Rsk,€, the secret message M is e-recoverable 
from {¥"-, S^), and ^\M\ = RsM,e- A rate pair {Rsk, Rsm) is said to be achievable if there is a sequence 
of e„ such that {RsK,e„-,RsM,e„) are e„-achievable rate pairs, and as n ^ cxd, 

e„ — s> 0, RsK,e„ -^ Rsk, and -RsM.en -^ Rsm- 

We define the rate region 7?, to be the set of all achievable rate pairs. 

III. Results 

Let V be the set of all joint distributions p of random variables f/i, V^i, V2, X, Y, Z, Sa, Sb, Se such that 
Ui and (V^i, V2) are independent, the following two Markov chains hold 

Ui — Sa — {Sb, Se), 
V2-Vi-X-{Y,Z), 

the joint distribution of (5*^, Sb, Se) and the joint conditional distribution of (F, Z) given X are consistent 
with the given source and channel respectively, and 

I{V^-Y)>I{U^-Sa\Sb). 

For p E V, let 7l{p) be the set of all non-negative pairs (-Rsk, -Rsm) which satisfy the following two 
inequalities 

Rsm<I{Vi;Y)-I{U,;Sa\Sb), (1) 

Rsk + Rsm < [/(^i; YlV^) - !{¥,; Z\V2)]+ + [/(f/i; Sb) - I{Uu Se)]+, (2) 

where \x\^ = max(0, x). The next theorem states that all pairs of rates belonging to 'Tl{p) are achievable. 
A sketch of the separation scheme which achieves this is presented in section lIV] and a complete proof 
in appendix |A} 

Theorem 1. 

7^^ [jn{p). 

Remark: It can be shown that in taking the union above, it suffices to consider auxiliary random variables 
with a sufficiently large, but finite cardinality. This can be shown using Caratheodery's theorem (see [[3l, 
for instance). 

The next theorem states that the above inner bound to the trade-off region can be used to derive a 
tight innerbound for the parallel channels and sources case when each sub-channel and source component 
satisfies a degradation order (either in favor of the legitimate receiver or the eavesdropper). 

Theorem 2. Consider the following: 



(i) The channel has two independent components^denoted by F and R: X = {Xp, X/j), Y = (Yp, Yr), 
andZ = {Zp, Zp.) such that pyfXr,Zf,Zb\Xf,Xr = Pyf,Zf\XfPyr,Zr\Xr- Moreover, the first sub-channel 
F is degraded in favor of Bob, which we call forwardly degraded, and the second sub-channel R is 
degraded in favor of Eve, which we call reversely degraded; i.e., Xp — Yp — Zp and Xr — Zr — Yr 
are Markov chains. 
(ii) The sources also have two independent components, again denoted by F and R: Sa = {Sa,f, Sa,r), 
Sb = {Sb,f,Sb,r), and Si? = {Sp^p,Se,r) with psa,Sb,Se = PSa,f,Sb,f,Se,fPSa,r,Sb,rSe,r- The first 
component is degraded in favor of Bob and the second in favor of Eve; i.e., Sa,f — Sb,f — Sp^p and 
Sa,r — Se,r — Sb,r are Markov chains. 
In this case, 

n=[jn{p), 

peP 

where V is the set of joint distributions of the form Pv2,XfPyf,Zf\XfPxrPyr,Zr\XrPUi\Sa,fPsa,f,Sb,r,Se,r 
PSa r,Sb r,Se r ^'^d TZ{p) is the set of non-negative pairs of {Rsk, Rsm) satisfying 

RsM < I{Xp- Yp) + I{Xr- Yr) - /(f/i; SaASb,f), and (3) 

RsK + Rsu < nXp; Yp\V2) - I{Xp- Zp\V2) + /(f/i; SbASe,f). (4) 

Remarks: 

• Note that the degradedness conditions above may be relaxed to stochastically degraded conditions. 
i.e., the inner bound is tight as long as there are fp, gp, /r, and gR such that 

Pzf\Xf{z\x) = ^PYF\XF{y\x)fF{z,y), 
y 

PSE,F\SA,FisE\sA) = ^PSB,F\SA.FisB\sA)gF{sE,SB), 

SB 

PYR\XR{y\x) = ^pzB]XR{z\x)fR{y,z), and 

z 
PSb.rISaA^bIsa) = ^PSE,R\SA,RisE\sA)9R{sB,SE). 

SE 

• Consider the case when the sources are reversely degraded, i.e., Sa — Sp — Sr is a Markov chain. 
Then the theorem implies that the optimal strategy involves ignoring the sources. However, the 
condition under which, given only the sources and a public bit-pipe from Alice to Bob and Eve, 
Alice and Bob cannot generate a positive rate secret-key is in fact weaker than the sources being 
reversely degradeq^ Under this weaker condition, it was shown in [|71 that the optimal strategy 
involves ignoring the sources, and utilizing only the channel. In particular, TZ{p) is now the set of 
all non-negative rate pairs satisfying the condition 

RsK + Rsm = [I{Vi; Y) - I{Vi; Z)] + , 

where Vi — X — (Y, Z) is a Markov chain. Thus the optimal strategy in this case reduces to that of 
Csiszar and Komer [|3l and there is essentially no distinction between sending a secret message and 
generating a secret-key. 

'We denote the channel input, outputs, and the sources using bold letters to make this explicit. 

^This condition which can be inferred from |4| is that for every Ui, U2 satisfying the Markov chain t/2 — C/i — Sa — {Sb, Se), 

I{UuSb\U2)<I{Ui;Se\U2). 



• On the other hand, when the channel is reversely degraded, as will become clear from the discussion 
of the achievable strategy in section |IV} the theorem implies that turning the channel into a public 
bit-pipe is optimal. Reverse degradation is a condition under which the channel resource by itself 
cannot provide any secrecy. But note that the condition under which the channel resource cannot 
provide any secrecy is looser than reverse degradation. This condition is when the channel to Eve 
is 'less noisy' than the channel to Bob 01 Corollary 3, pg. 341]. Under this looser condition, but 
when the reversely degraded source component is absent, the optimality of turning the channel into 
a public bit-pipe was shown in {T\ for secret-key generation. In the special case where Eve has no 
source observation, this optimality was shown for secret communication as well. 

Proof of Theorem |2]- We prove this theorem in appendix |Bj 

> A Gaussian example: 

Let us consider a scalar Gaussian example. Suppose the observations of Alice and Bob are jointly Gaussian. 

Then, without loss of generality, we can model them as 

Sb = Sa + ^source; 

where Sa and A^source are zero mean Gaussian. Let A'source be unit variance, and let the variance of 5*^ be 
SNRsic- Let Eve have no source observation. Suppose that the broadcast channel has additive Gaussian 
noise with a mean-squared power constraint on X of SNRBob- Let 

Y = X + A^Bob, and 

Z = X + A^Eve, 

where Asob and Anve are Gaussians independent of X, and such that Afiob has unit variance and Aevb has 
a variance SNRBob/SNREve- We have the following proposition which is proved in appendix |CJ 

Proposition 3. The rate region IZ for this problem is set of all non-negative {Rsk,Rsm) pairs satisfying 

RSM < 7T log 



2 "^ 1 + SNR.rc + mm{SNRBob, SNRev 



■e)' 



„ ^1 (1 + SNR,,c){l + SNRBob) exp(-2i?sM) - SNR 

RSK < 7T log 



src 



2 ^ l + mm{SNRBob,SNRE,e) 

Remark: When Eve also has a source observation jointly Gaussian with the observations of Alice and 
Bob, the problem is covered by the cases in Theorem [2} However, unlike in the proposition above, we 
were unable to show that a Gaussian choice of the auxiliary random variables is sufficient. 

IV. The Separation Strategy 

A sketch of our scheme follows. The details are taken up in appendix |A} 
Sketch of proof of Theorem [7]- 

We follow a separation strategy. Using the channel, we will first create two bit pipes - a secret bit 
pipe (SBP) and a public bit pipe (PBP) of rates -Rsbp and -RpBP, respectively, such that bits input to 
these bit pipes are delivered with small probability of error to Bob. The security guarantee is that mutual 
information between the message sent over the SBP and everything Eve has access to is vanishingly 
small (i.e., o{n)). No such guarantee is made about the bits sent over the PBP. But unlike in [[31, we do 



not require that the bits sent over PBP be recovered by Eve. Fig. IV shows the setting after the channel 
has been used in this way. Note that the secrecy guarantee depends on the two messages being nearly 
independent and the message over the public bit pipe being nearly uniformly distributed over its alphabet. 




Fig. 2. Rate region TZ for the Gaussian example. Notice that as the SNReve is decreased the rate region enlarges. 



M 



Alice 



^SBR, 
~SBP 



RpBP 



SV 



Bob 






Eve 



M,K 



Fig. 3. Separation architecture: Using the channel, we create two bit pipes - a secret bit pipe (SBP) and a public bit pipe (PBP) of 
rates Rsbp and -Rpbp, respectively, such that bits input to these bit pipes are delivered with small probability of error to Bob. The security 
guarantee is that mutual information between the message sent over the SBP and everything Eve has access to is vanishingly small. No 
such guarantee is made about the bits sent over the PBP. But unlike in (Sj, we do not require that the bits sent over PBP be recovered by 
Eve. This is denoted by the dashed link to Eve. 

But these details will be suppressed in the sketch. See appendix |A] for a complete proof. We state the 
following claim (which is stated more precisely and proved in appendix |A]) 

Claim 1 : For any given joint distribution of random variables Vi , V2 , X, Y, Z such that V2 — V1 — X — (Y, Z) 
is a Markov chain and the joint conditional distribution of {¥, Z) given X is consistent with the given 
channel, then using the channel, we may achieve the following (-Rsbp, -Rpbp) 

Rsbp = [/(V^i; Y\V2) - /(V^i; Z\V2)]+ 
-RpBP = I{Vi:, Y) — Rsbp, 



where [x]+ = max(0,a;) 



We will use the channel interface from the claim above with V^i, V2,X from p. Let us consider a pair 
{Rsm,Rsk) G T^{p) {i-e., which satisfies ([T]) and ([2])). We split into two cases: (a) _Rsm > -Rsbp. and (b) 
RsM < Rsbp, and consider them separately. 

Case (a): In this case, all of the secret bit pipe is used to send the secret message. Having done this, 
we still need to send an additional rate i?sM = -Rsm — -Rsbp of the secret message and generate a secret 



key of rate Rsk- We will do this by first generating a secret key of rate -Rsk + -R'sm t>y consuming only 
-Rpubiic = -RpBP — -R'sm <^f the public bit pipe rate. Out of the secret key so generated, a rate Rsk will 
be designated as the secret key output by the terminals, and the rest at a rate of R'c,f^ will be used to 
one-time -pad the part of the secret message still to be sent. This one-time-padded message will be sent 
over the the remaining R'c^^^ of the public bit pipe rate. We use the following claim. 
Claim 2: With sources available at the parties as in our problem setup, and a public bit pipe of rate R 
available from Alice to Bob and Eve, for any joint distribution Pui,Sa,Sb,Se satisfying the Markov chain 
f/i — Sa — (Sb, Se), the following secret key rate is achievable 

[IiU,;SB)-I{Ui;SE)]+, 
provided the public bit pipe rate satisfies 

I{U,;Sa\Sb)<R. 
Noting that ([T]) implies 

1(^1', Sa\Sb) < I(Vu Y) — RSM = RpBP + -RSBP — -RSM = -Rpublic, 

and that ([2]) implies 

[/(f/i; Sb) — I{Ui; Se)]+ > -Rsk + -Rsm — -Rsbp = -Rsk + -Rsmj 

completes the argument. 

Case (b): In this case, all of the secret message is sent over the SBP. This leaves us with a rate on SBP 
of -RsBP — -RsM left over. Using this along with the PBP of rate -Rrbp and the sources, we need to generate 
a secret key of rate -Rsk- Thus, a total of i? = -Rsbp — -Rsm + -Rrbp = -^(^i; Y) — -Rsm is available to send 
the public bits generated in claim 2. From ([T]) we can conclude that this rate is sufficient 

1(^1] Sa\Sb) < -^(^i; y) — Rsm = -Rpbp + (-Rsbp — -Rsm)- 

Thus, we can generates a secret key of rate [I{Ui;Sb) — I{Ui;Se)] + - As we argue in the appendix, 
independent of this secret key is the part of the public bits which are sent through the SBP which can 
also be treated as a secret key. Thus, the total secret key rate achieved 

[/(f/i; Sb) - I{Ui; Se)U + Rsbp - Rsm = [I{Ui; Sb) - I{Ui; Se)]+ + [I{Vi; ¥{¥2) - I{Vi; Z\V2)]+ - Rsu 

which by (|2]) meets the required secret key rate of i?sK- Note that, if the public bits generated do not fill 
up the SBP, we send additional independent random fair-coin tosses to make up the deficit so that all of 
the bits left over in SBP after sending the secret message can be used as part of the secret key. 

V. Discussion 

In this work, we have presented a general achievable strategy for secret message and secret key 
communication from Alice to Bob when Alice, Bob, and Eve share a correlated source and Alice has a 
noisy broadcast channel to Bob and Eve. We have shown this strategy is optimal when Eve's source and 
channel are degraded versions of Bob's, as well as for cases in which either Bob's source or channel is 
by itself useless in generating a secret key. The strategy presented is a separation strategy that converts 
Alice's noisy broadcast channel into a public and private bit pipes, over which the sources can then be 
used to provide additional secrecy for both secret key and secret message. 

It remains to be seen whether this separation strategy is optimal in general. The answer to this question 
is the subject of ongoing work. 



Appendix A 
Proof of Theorem [H 

Lemma 1: For any given joint distribution of random variables Vi, V2, X, Y, Z such that V2—Vi—X—{Y, Z) 
is a Markov chain and the joint conditional distribution of {¥, Z) given X is consistent with the given 
channel, we may achieve using the channel the following (-Rsbpj -Rrbp) pair. 

RsBP = [I{Vi- Y\V2) - I{Vi; Z\V2)] + 

-RpBP = I{Vl\ Y) — -RsBP- 

i.e., given any 5 > 0, for sufficiently large n and random variables Wpnvate, W/pubiic distributed over alphabets 
{1,2,..., 2"'^sBP} and {1, 2, ... , 2"^pbp} respectively such that they satisfy 

n-^H{W^,^^,) > RpBP - 6, and (5) 

n'^IiWpMic] VFprivate) < 5, (6) 

there exist blockcodes with decoders W^pnvate : 3^" ^ {1, 2, . . . , 2"^sbp| and Wp^ic : 3^" ^ {1, 2, . . . , 2"^pbp| 
such that 

P{Wp,mc{Yn ^ W^pubiic) < ^. (7) 

P(W^pnvate(l^") + W^private) < 5, (8) 

n-^/(lVprivate;^")<8(5. (9) 

Proof of Lemma 1: If I{y\\Y\y-2) — /(^i; Z; V2) < 0, the claim follows from the achievability part of 
Shannon's channel coding theorem. Hence, let us assume that /(\/i;F|V2) — I(yi;Z\V2) > 0. Let us 
divide VFpubiic into two parts lypubiica and Wpubiicb such that they are random variables distributed over 
the sets {1, . . . ,2"^p"''"'^''} and {1, . . . ,2"^p"''"'^''}, where -Rpubiic.a and -Rpubiic.b are non-negative satisfying 
i?PBP = -Rpubiica + -Rpubiicb- This can be done, for instance, by using a bit-representation of the message 
M^pubiic and defining the first ni?pubiic,a bits to be VFpubUca and the rest to be VFpubiicb- Now, it is easy to see 
that the properties below follow from ([5]) and ([6]). 

n-^H{Wp^biic,b) > Rpubiic.b - S, (10) 

n"^/(Wpubiic,a; W^pubiicb) < S, and (11) 

n"^/(Wpublic,a, W^publicb; W^private) < S. (12) 

For i G {1, . . . ,2"^p"''''"}, generate codewords V2^ independently and randomly according to the 
distribution 



Y[P(V2 = V2,S))- (13) 



i=l 



Let us call this collection of codewords, the Cpubiica codebook. For each codeword V21 E Cpubiica^ for 
j E {1, . . . , 2"^p"™"=} and k E {1, . . . , 2"^p"'''"^''}, generate codewords f^.^^ independently and randomly 
according to the distribution 

n 

l[P{Vi = V,^,,kAW2 = V2,S)) . (14) 

1=1 

Let us call this the Cpnvate, pubiic,b(^2,^) codebook. Let V^ be the codeword indexed by VFpubUca in the CpubUca 
codebook and let ]/{" be the codeword indexed by (VFprivate, W^pubiic,b, M^pubiica) in the Cprivate,pubiic,b(^") 



codebook. The input to the channel X" is obtained by sending the codeword V-[^ through a memoryless 
channel with conditional distribution px\Vi which is simulated at the encoder. 

By standard applications of the asymptotic equipartition property (AEP) and jointly typical decoding 
given F", one can show that for all 6 > 0, the values 

RpuUic,. = IiV2;Y)-5 (15) 

Rpuhiic,b = IiVr,Z\V2)-6 (16) 

RsBP = I{Vu Y\V2) - I{Vu Z\V2) - 6 (17) 

result in decoding error probabilities vanishing as n ^ oo. Since the above gives 

RPBP = i?pubiic,a + i?pubiic,b = I{Vi; Y) - [I{Vi; Y\V2) - I{Vi; Z\V2)] - 2S, 
it only remains to show that the secrecy condition (|9]) is satisfied. 

H{Wpnva.te\Z'^) > -f^(W^private|^", W^public,a) 

= H(y{^, PVprivate, ■Z'"|PVpublic,a) " H{Z"' \Wpubiic,a) — H {V^" \Wpnvate , ■Z'", VFpublic,a 

> i/(V;"|l^pubHc,a) + H{Z^\V,", W^publica) " i/(^"| W^pubHc,a) " i^ ( V^" | W^private , ^", Wpublic.a) 

= i/(V;"|H^public,a) + H{Z^\Vn - i/(Z"| Wpublica) - i^(V^l1W^private, ^", W^publica)- (18) 

From the AEP, one can show that 

n~^H{Z"\V^^) -^ H{Z\Vi). (19) 

Similarly, using the AEP one can show that jointly typical decoding of V^ given VFprivatej M/pubiica; Z^ 
results in a vanishing error probability with the blocklength, and combining this with Fano's inequality 
yields 

n-'H{V^\W,,^a,,, Wp^biica, ^") -^ 0. (20) 

Likewise, using AEP and the fact that 

-^(W^publica! W^publicb, W^private) = -^(W^publica! W^public.b) + -^ ( W^public.a ! W^private | W^public.b ) 

< -^(W^publica! W^publicb) + -^ ( W^public.a , W^publicb! W^private) 

< 2n6, 

where the last inequality follows from ( [TT] ) and ( [121 ), oris can show that 

n-ii7(Z"|iyp„biic,a) -^ H{Z\V2). (21) 

Also, 

H {yi\W pahlica) = H(y{', VTpublica, W^public.b, W^private) — -^(W^public.a) — H(Wp„uic,b, W^privatelW^, W^public.a) 
= -ff(VFpublic,a, W^publicb, W^private) — -^^ ( W^public, a) — -^^ ( M^public.b j W^private | ^l" , W^public,a) 
= -ff(PVpublic,b, W^private) — -^ ( W^public,a ; M^public,b, W^private) " -f^ ( W^public.b 5 W^private | W^ , W^public.a) 
= H{Wpnvate) + -f^(M^public,b) — -^(W^public.b; M^private) 

— -^(W^public.a; W^public.b, W^private) — -f^ ( W^public,b , W^private | V^^ , W^public.a) 
> H{Wpn^ate) + '^^public.b - 5n5, (22) 



where we used the AEP and (|T0|)-([T2|) in the last step. Combining ( [T6| ) and ([T8])-([22|) gives, for all 5 > 
and sufficiently large n, 

/(H^private; Z^) < 8n6. (23) 



Lemma 2: Consider any joint distribution PUi,Sa,Sb,Se satisfying the Markov chain Ui — Sa — (Sb, Se) 
such that I(Ui]Sb) > I{Ui]Se)- With sources available at the parties as in our problem setup, and a 
bit pipe of rate R = I{Ui;Sa\Sb) available from Alice to Bob and Eve, the following secret key rate is 
achievable 

I{Ui;Sb)-I{Ui;Se). 

Specifically, for all (5 > and sufficiently large n, there exists an encoding function ?/; : 5^ — > {1, . . . , 2"^} 
and decoding functions Ka: {l,-.., 2"^} x 5;^ ^ {1, . . . , 2"(^(^i''5s)-^(f^i;5fi)-5)}^ Kb : {1, ... , 2"^} x 
S'^^il,..., 2<^(^^'^b)-i{Uv,Se)-s)^ such that 

P{KAmSl), 52) ^ Kb{HS1), ^S)) < 5, (24) 

and the following conditions are satisfied: 

n-'l{KAmS^), SI); ^(S^), 5^) < 5, (25) 

n-'li^{S^y,S^E)<6, (26) 

n-'HiKAiHSl), S^)) > /(t/i; Sb) - /(f/i; Se) - 26, and (27) 

n-'Hi^iS"^)) > I{Ur; Sa\Sb) - 6. (28) 

Proof of Lemma 2: The result follows from achievability proof of flU Theorem 2.6, p. 348]. ■ 

We will now use the above two lemma to prove our achievability result. From ([T]) and ([2]), it is clear 
that it is enough to show the achievability of pairs (Rsm, Rsk) £ T^ip) for which ([2]) holds with equality. 
We split into two cases depending on whether Rsm is larger than i?sBP in lemma 1 or not. 
Case 1 (-Rsm > -Rsbp): We split the secret message into two independent parts M = (Msbp, MpBp) of 
rates -Rsbp — ^ and i?si^ — 6 = Rsm — Rsbp — 5, respectively, such that these messages are also uniformly 
distributed over their alphabets. Consider the key Ka{iP{Sa)) generated by Alice in lemma 2; let us denote 
this key with a little abuse of notation by Ka- Let us split the key into two parts Ka = {K, Kqjp) of 
alphabet sizes 2"(^sk) ^nd 2"'^^sm-^), respectively. We may do this, since, by ([2]) (which we assumed holds 
with equality) 

Rsk + -Rsm = -^sk + -Rsm — -Rsbp 

= [IiUi;SB)-IiUi;SE)] + . (29) 

We make the following choices 

W^private = MsBP, and 

W'public = itpiSl),KoTP © MpBP, $a), 

where © stands for bit-wise XOR, and $^ is a local Bernoulli(^) binary string of length n(_RpBp — 
/(f/i; Sa\Sb) — R'sm) produced by Alice independent of the secret message and the source. In choosing 
W^pubiic as above, we made use of the fact that 

-RpBP — H^i, Sa\Sb) — -Rsm = -Rpbp + -Rsbp — -^(f^i; Sa\Sb) — -Rsm 

= IiV^;Y)-I{U,;SA\SB)-RsM 
>0, 



where the inequality follows from ([T]). From the independence of Msbp, Mrbp, S^ and $^, and ([28]), it is 



easy to verify that this choice satisfies the conditions ([5])-([6]) required in lemma 1. With high probability. 
Bob can recover (PVprivate, W^pubik) (by lemma 1) and Ka = {K, Kqjp) (by lemma 2). Bob declares K to 



be the secret key (note that K is only a function of 5*^ and independent of the message M as required). 
He also recovers MpBP by undoing the bit-wise XOR and thus can output M. To verify the uniformity 
condition on the secret key K, we note that (see (|29])) 



[/(f/i; Sb) - /(f/i; Sb)] -5 = Rsk + R'sm " <^ 



> n'^H{K) + n-^H{Kojp) > n-^H{K, Kqtp) 

>[IiUi;SB)-nUi;SB)]-25, 



n 



-'H{K, 



where the last inequality is p7] ). This implies that 

n-'H{K) > RsK - 5, 
n-'H{KoTp) > R'sM - 2'^, 
n-'l{K;KoTp)<6, 



(30) 
(31) 
(32) 



the first of which provides the uniformity condition on i^. It remains to see that the security guarantee is 
met. 

I{M, K- Se, Z^) = /(MsBP, MpBP, K; S% Z") 

= /(MsBP; SI, Z") + /(MpBP, K- SI, Z"|Msbp). 

The first term can be upperbounded as follows 



/(MsBP;5^,^") 



-f ( "^private i ^E^ ^ 



< /(VFprivate; 
(a) 



+ /(Mprivate; Z ; Se) 



= n85 + /(MsBP, i^iS'l), MpBP © i^oTP, $a; S^) 

(b) 

< n86 + n5, 

where in (a) we used (|9]) to bound the first term and the fact that Z" — (^private, M/pubiic) — 5*]^ is a Markov 
chain, in (b) we used the independence of Msbp, Mpbp, $a from the sources and ( |26l ). Now, to bound 
the second term from upstairs 

J(MpBP, K; S% Z"iMsBp) < /(MpBP, K- SI, Z^ Msbp) 

= J(MpBP,ir;^^,Z",Wpri™te) 



(a) 



< /(MpBP, K;Se, W^public, M^privati 

= J(MpBP,ir;5^,^(5^),MpBP 

ib) 



Kqtp, $^, Msbp) 



= J(MpBP, K; SI, 7/>(^2), MpBP © i^oTp) 

< /(MpBP, K- MpBP © i^OTp) + /(MpBP, K, MpBP © i^oTP; SI, ij{Sl)) 

= /(MpBp; MpBP © i^oTp) + I{K; i^oTPlMsBp) + /(Mpbp, K, Kotp; S^, ^{SD) 
= H{Mpsp © i^oTp) - H{KoTp) + I{K; Kotp) + I{K, Kotp; S^, ^{SD) 



(c) 

< 7235, 



where, (a) follows from the fact that Z" — (VTpubiic, W^prWate) — {K, Se, Msbp) is a Markov chain, in (b) 
we used the independence of (MpBp, $a) from Msbp and the sources, and in (c) we used the fact that 
the first term is rii^sM ~ ^' '^he second and third terms were upperbounded using pT] ) and ([32]), and the 
last term using ([25]). 



Case 2 {Rsm < Rsbp)- If HUi]Sa\Sb) > Rsbp - Rsm, we split ipiS^) into two parts ^(5*^) = 
(V'SBP, V'PBp) such that their alphabets are {1,2,..., 2"(^sbp-Rsm)} and {1, 2, ... , 2"(-^(^i;^^l^s)-RsBP+iJsM)}^ 
respectively. Let us, further define r^sBp = ^sbp and r/pBp = (V^pbp, ^a), where $^ is a local Bemoulli(^) 
binary string of length n(RpBp — I{Ui; Sa\Sb) + Rsbp — Rsm) produced by Alice independent of the 
secret message and the source. In doing this, we made use of Q which implies that 

i?PBP + i?sBP - /(f/i; Sa\Sb) - Rsm = /(^i; Y) - I{U,; Sa\Sb) - Rsm > 0. 



Using ( [28] ) in a manner similar to how ([30l)-([32|) were derived from pTj ), we can show that 

n-^H{r]sBp) > Rsbp - Rsm ~ 5, (33) 

n-^H{T]PBp) > RPBP - S, and (34) 

^~^^('7sBp;^PBp) < 5. (35) 

If /(f/i; Sa\Sb) < RsBp-RsM, let us define ?/'sbp = ^{Sa) and ^rbp = 0, and further, r^sBP = (V^sbp, ^a) 
and r^pBP = ^a, where $^ and $^ are local Bernoulli(|) binary strings of lengths n(RsBP — Rsm — 
/(f/i; Sa\Sb)) and ra_RpBp produced by Alice, independent of each other and of the secret message and 



the source. In this case, it is easy to infer ([33|)-([35]) from ([28]). Now, we make the following choice 

private = {M,r]sBp)^ and 

W^public = ''^PBP- 



Using ([34[)-([35[) and from the independence of M from the sources, we can conclude that this choice 
satisfies the conditions ([5|)-([6|) of lemma 1. Hence, by lemma 1, with high probability. Bob recovers the 
secret message M and the pair (?7sbp,'7pbp)- Since this pair contains ^(5^), Bob can also recover Ka 
with high probability by lemma 2. Hence Bob can successfully recover (with high probability) the secret 
key which we define in this case to be K = {tisbpiKa)- To verify the uniformity condition for K, we 
note that 

n-^H{K) = n-'H{KA) + n-'H{r]sBp) - n-'l{KA; r^sBp) 

> n-'H{KA) + n-'H{7]sBp) - n-'l{KA; V^(S^)) 

> [/(t/i; Sb) - /(f/i; Se)U + Rsbp - Rsm - 4(5, 

where in the last step, we used ( [27] ), ( [33] ), and ( [25] ), respectively, to bound the terms. Since the K defined 
above has a cardinality of [/(f/i; Sb) — I{Ui] Se)\+ — 5 + -Rsbp — -Rsm, and 

RsK = [I{Ui; Sb) - I{Ui; Se)U + [^(^i; >^l^2) - HV,; Z\V2)]+ - Rsm 
= [liUi; Sb) — I{Ui; Se)]+ + Rsbp — -Rsm, 
it only remains to check the secrecy guarantee. 

/(M, K; SI, Z^) = liM, r]sBP, Ka; SI, Z^) 
= /(Wprivate, Ka; SejZ"') 

< /(Wprivate; Se, Z"') + I{Ka; Se, Z"^ , VTprivate)- 

We bound the first term as follows 

/(W^private; ^^, ^") < /(W^private; Z^) + /(H^private, Z^; S^) 
<n8(5 + J(Wprivate,l^public;5^) 

= n85 + I{M,^{Sl),^A,^'A;Sl) 

(c) 

< n86 + n6. 



where in (a) we used Q to bound the first term and the fact that Z" — (PVpnvate, W^pubiic) — 5*^ is a Markov 



chain, in (b) we used the independence of (M, $^, $'^) from the sources, and (c) follows from ([26]). We 
bound the second term from upstairs as follows 

(a) 
I{Ka; S^.Z"', W^private) < I{Ka'-, S^, Wpnvate, W^public) 

(c) 

where we used the fact that Z" — (lypdvate, W^pubiic) — {Ka, S%) is a Markov chain to get (a); in (b) we 



used the independence of (M, $^, $'^) from the sources; and (c) follows from ( |25| ) 



Appendix B 
Proof of Theorem [2] 
The achievability follows directly from the separation scheme of Theorem [T] Independent channel codes 
are used on the two parallel channels with Vi^p = Xp, V2,f = ^^ ^i,/? = X^, and V2,k = constant. This 
gives the following rates for the secret and public bit pipes. 

RsBP = [I{Xf- Yf\V2) - I{Xf; Zf\V,)U, 
RPBP = I{Xf- Yf) + I{Xr- Yr) - i?sBP. 

The reversely degraded source component is ignored, and we choose Ui^p = Ui and f/2,F = constant 
for the code for the forwardly degraded component. It is easy to see that with these choices lZ{p) is 
achievable. 

To show the converse, let J and J' be independent random variables both uniformly distributed over 
{1, 2, . . . , ra} and independent of all other random variables. To get the first condition (ignoring o{n) 
terms) 

n(/(X^,j; Yf^j) + I{Xr^j- Yr^j)) > nI(Xj; Yj) 

>nI{Xj;Yj\J) 
>/(X";Y") 

= /(X"; Y", Z^) 

= J(M,i^,S:^,X";Y",Z^) 

> I{M, K, S'X; Y", Z^) 

> I{M, K, SI; Y^ Z^) - I{Sl, S^; Y", Z^) 

^=^/(M,ir,S:^;Y^Z^|SS,S^) 

= /(M;Y^Z]^|S^^,S^) + /(i^,S:^;Y^Z]^|SS,S^,M) 

^^ H{M\S],, SI) + liK, SI, Y", Z^\Sl, SI, M) 
= H{M) + I{K, S'l; Y", Z^|S^, S^, M) 
= ni?sM + I{K, SI, Y", Z^\Sl, SI, M) 

where (a) is due to the sub-channel F to Eve being degraded w.r.t. the channel to Bob, (b) is because 
(S^, Sg) — S^ — (M, K, Y", Zp) is a Markov chain, and (c) follows from Fano's inequality which gives 



if (M|Y", S^) = o{n). Now, to bound the second term, we write 

= i7(Y", Z^|S^, S^, M) - /7(Y", Zps'^lK, M, S^, S^, S^) 

> i/(Y", Z;;;|SS, S^, M) - H{K, Y", Z^IS^^, S^, S^, M) 

^^ i7(ir, Y", Z^|S^, S^, M) - /7(ir, Y", Z^\S% 8% S^, M) 

^=^/(M,i^,Y",Z^;S:^|S^,S^) 

> /(M, ir, Y", Z«; ^^Fl^Iij, S^^, S^) 

n 

= 2_^ ^[^1 ^1 Y , Zp] OA,F,i\^A,Fi ^A,Ri ^B,Fi ^E,f) 

1=1 
n 

i=l 

= ^ -^(^, K, Y", Z]J., S^pi, Sp^p-^, S'Ipi^; SA,F,i\SB,F,i, SE,F,i) 

1=1 
= nI{Ui] Sa,f,j'\Sb,f,j', Se,f,j'), 

where (a) follows from Fano's inequality which implies that H{K\Y'^,S^) = o(n), (b) follows the 
independence of M from (S^^, S^, S^), and we define S^^p- = {S'j^}, 5S,F,^+l)' Sp^p- = {S'^}, S^,^,,+i), 
and Ui = {M,K,Y^, Zp,S^ pj,,Sp pj,,S''^j^,J'). Note that this Ui does indeed satisfy the condition 
Ui - Sa,j' - (Sbj', Se,j'). To get condition 2, 

n{RsK + Rsm)< I{M, K; Y", Z^, S^, S^) 

^^ /(M, K; Y", Z^, SI, S^) - I{M, K; Z", S^) 

^=^^ I{M, K- Y", Z]^, SS, S^) - I{M, K- Z", Y^, S^) 

< /(M, i^; Y", Z-p, S% SI) - I{M, K- Z^, F^^ S^) 

'^ I{M,K-Y^,Sl^p\Y^,Zl,Sl) 

= I{M, K- Y'^\Y^, Zl, SI) + I{M, K- S^,^|Y", Z]^, S^) 

< /(M, K, SI, YS, X-p- Y^\Zl) + I{M, K- Sl^p\Y\ Z^, S^) 

n 



J(X]^; F;^|Z]^) + > /(M, iT; 5b,f,|Y", Z^p, S'^'p, S^] 



j=l 

n n 

= i7(F;^|Z^) - Y, H{YfAXf,, Zf,) + ^ I{M, K- 5B,i.,.|Y^ Z^, ^i,;],, S^) 

i=l i=l 

n n n 

— /_^ H{YF,i\^F,'i) + 2_^ H{YF,i\XF,i, ZF,i) + 2_^ ^{^1 ^1 Y", Zp, S^^F'ii ^E,F,1,^A,R'^ SB,F,i\SE,i 
1=1 j=l j=l 

< nI{Xpj; YpjZpj, J) + nI{Ui; Sb,f,j'\Se,f,j') 

= n{I{Xpj; Ypj\V2) - I{Xpj; Zpj\V2)) + nI{U,- Sb,f,ASe,f,j') 



where V2 = J, (a) follows from the hypothesis /(M, K; Z", S^) = o{n), (b) from the fact that /(M, K; Y^\Sl, Z") 
= 0, which we show below, and (c) from the Markov chain (M, K, Y'^, Z^, S^) - 5^^ - 5g^. 

= I{Sl, M, K- y^|Z") i /(S^, S:^, M, K; r^lZ") > /(M, iT; F^|S^, Z") , 

where (a) follows from the Markov chain S^ — (S^, M, K) — Z" — Y^. By non-negativity of mutual 
information, /(M, K] Y^\S'%, Z") = as claimed above. 

Thus, we have shown that if (_Ri, R2) E TZ, then there must exist independent random variables Ui and 
V2 such that f/i - Sa - (Sb, S^) and V2 - X - (Y, Z) are Markov chains and 

RsM < I{Xf, Yf) + I{Xn; Yr) - I{Ui; Sa,f\Sb,f), 
RsK + RsM < I{Xf\ Yf\V2) - I{Xf- Zf\V2) + /(f/i; Sb,f\Se,f). 

The form of the right hand sides above further allow us to assert that the Ui above may be independent 
of Sa,r- This completes the proof. 

Appendix C 
Proof of Proposition [3] 

While we stated the Theorems [T] and |2] only for finite alphabets, the results can be extended to continuous 
alphabets. We note that the scalar Gaussian problem satisfies the conditions of Theorem |2] (along with 
Remark 1 following it). 

Observe that in the notation of Theorem 2, Sa,f = Sa and Sb,f = Sb- Further, Sa,r, Sb,r, Se,f, and 
Se,r are absent (assumed to be constants). When, SNRnve > SNRBob. we have Xj^ = X, Yr = Y, and 
Zji = Z, and the forwardly degraded sub-channel is absent (again, we may take the random variables of 
this sub-channel to be constants). When SNRBob > SNREve, we have Xp = X,Yp = Y, and Zp = Zand 
the reversely degraded sub-channel is absent. Hence, from theorem 2, 7?. is given by the union of TZ^p) 
over all joint distributions p. Also, 'R{p) is described by 

i?SM < I{Xr, Yp) + I{Xn; Yr) - I{Ui; Sa\Sb), (36) 

RsK + RsM < nXp; Yp\V2) - l{Xp- Zp\V2) + /(f/i; Sb). (37) 

When specialized to the Gaussian case above, it is easy to see that 

I{Xp-Yp) + I{XR-Yn)<Cy, and 
I{Xp; Yp\V2) - I{Xp; Zp\V2) < [Cy - Cz]+, 

where Cy = \ log(l + SNRBob) and Cz = \ log(l + SNReve)- These bounds are simultaneously achieved 
when p is such that V2 is a constant and X is Gaussian of variance SNRBob- Hence, we may rewrite, the 
conditions above as 

Rsu <Cy- I{U,- Sa) + I{Ui; Sb), (38) 

RsK + RsM < [Cy - Cz]+ + /(f/i; Sb). (39) 

Now we show outerbounds to the above iZ{p) which match the two conditions in proposition |3| It will 
also become clear that a jointly Gaussian choice for p in fact achieves these outerbound thus completing 
the proof. We first derive an upperbound on Rsu which matches the first condition in proposition [3j From 
the two inequalities ( [38] ) and ( [391 ) above, we have 

Rsu <Cy- I{Ui; Sa) + /(f/i; Sb), (40) 

RsM<[Cy~Czh + IiU,;SB). (41) 



Using entropy power inequality, 

exp{2h{SB\U)) > exp(2/i(^A|t/)) +exp(2/i(iVsource)) 



Using this in ( [40| ), we may write 

exp(2i?sM) < exp(2(Cy + I{Ui; Sb) - HSa))) {exp{2{h{SB) - I{Ui; Sb))) - exp(2;i(iV,o,,,e))) 
= exp(2(Cy - h{SA) + KSb))) - exp(2(Cy - h{SA) + /^(iVsource))) exp(2J(f/i; Sb)) 

< exp(2(Cy - K^Sa) + KSb))) - exp(2i?SM) exp(2(Cy - [Cy - Cz]+ - HSa) + /^(iVsource))), 

where (a) resuhs from ( |4T] ). Rearranging, we have 

exp(2(Cy - HSa) + HSb))) 



-RsM < 



1 + exp(2(Cy - [Cy - Cz]+ - HSa) + ^(iVsource))) 
(l + SNRBob)(l + SNRs,c) 



1 + SNR,,c + min(SNRBob, SNReve) 
which is the first condition in proposition |3j Now let us fix Rsm such that it satisfies this condition. Let 



us rewrite ( [38] ) as follows 

HSa\U) > {Rsm - Cy + HSa) - HSb)) + HSb\U). 
Entropy power inequality implies that 

exp{2HSB\U)) > exp{2HSA\U))+exp{2HNsource)) 

> exp(2(i?sM -Cy + HSa) - HSb))) exp(2/i(^B|[/)) + 1. 
Since 

P (l + SNRBob)(l + SNR,,,) ^1^ (l + SNRBob)(l + SNR,,,) u^\^u^\ 

^SM < . , g^,p . ■ .g^,p ^Tf^ — V < 7^ log ^^^^^ =Cy - HSa) + HSb), 

1 + SNRsrc + mm(SNRBob, SNREve) 2 SMR^rc 

we have 

exp(2/t(5s|t/)) > — — — . 

1 - exp(2(i?sM - Cy + HSa) - HSb))) 

From (|39]), 

exp(2i?sK) < exp(2([Cy - Cz]+ + /i(5ij) - HSb\U) - Rsm)) 

< exp(2([Cy - Cz]+ + HSb) - i?SM))(l - exp(2(i?sM - Cy + HSa) - HSb)))) 

< exp(2([Cy - Cz]+ - Cy))(exp(2(Cy + HSb) - Rsm)) - exp(2/i(^A))) 

which evaluates to the second condition required. The inequalities used above are tight under a Gaussian 
choice for the auxiliary random variable which proves the achievability. 
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